[dapper,CVE,1/1,SCSI] gdth: integer overflow in ioctl, CVE-2010-4157

Message ID 1296649653-7523-2-git-send-email-apw@canonical.com
State Accepted
Commit 31f60ae474a9f789911cbbe4206a672972823866
Headers show

Commit Message

Andy Whitcroft Feb. 2, 2011, 12:27 p.m.
From: Dan Carpenter <error27@gmail.com>

gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer.  Then when we do the
copy_from_user(), it would result in a memory corruption.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

BugLink: http://bugs.launchpad.net/bugs/711797
(back ported from commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4)

Adds additional checks for the unit number which is also passed in from

Signed-off-by: Andy Whitcroft <apw@canonical.com>
 drivers/scsi/gdth.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)


diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index b9aea77..5d8c626 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -4984,7 +4984,19 @@  static int ioc_general(void __user *arg, char *cmnd)
         gen.ionode >= gdth_ctr_count)
         return -EFAULT;
     hanum = gen.ionode; 
+    if (hanum >= MAXHA)
+	return -EINVAL;
     ha = HADATA(gdth_ctr_tab[hanum]);
+    if (!ha)
+	return -EINVAL;
+    if (gen.data_len > INT_MAX)
+        return -EINVAL;
+    if (gen.sense_len > INT_MAX)
+        return -EINVAL;
+    if (gen.data_len + gen.sense_len > INT_MAX)
+        return -EINVAL;
     if (gen.data_len + gen.sense_len != 0) {
         if (!(buf = gdth_ioctl_alloc(hanum, gen.data_len + gen.sense_len, 
                                      FALSE, &paddr)))